Hey!
It looks like the Bug Bash has brought a few Pull Requests:
https://github.com/apache/zookeeper/pulls
Unfortunately they are not following the contribution guidelines (for
instance there is no associated JIRA):
https://cwiki.apache.org/confluence/display/ZOOKEEPER/HowToContribute
Most of the PRs are about trivial fixes, I am not sure if a JIRA is deserved.
What should we do?
My proposal is to ping the contributor in order to obey the guide and
then finally accept the patches, as Michael Han did in this patch:
https://github.com/apache/zookeeper/pull/1470
I don't want to see those patches remaining on GitHub as low hanging
fruit, so it is better that we decide how to work on them;
another option is to close them as invalid (it would be a pity IMHO).
Enrico
On Mon, 28 Sep 2020 at 15:03 Tom DuBuisson <to...@muse.dev> wrote:
Enrico,
That sounds great. We'll get the repo activated.
Tom
On Sun, Sep 27, 2020, 11:11 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> Tom
> Overall I think that we can move forward.
>
> This thread has been around for a while, there are no objections, every
> question has been answered.
>
> Thank you very much
>
> I hope this activity will help in growing the Zookeeper project both in code
> quality and with more contributions, that is to help the community to grow.
>
> Best regards
>
> Enrico
>
> On Mon, 28 Sep 2020, 01:27 Tom DuBuisson <to...@muse.dev> wrote:
>
> > Norbert,
> >
> > Yes, you understand that correctly. And those analyzers are FindSecBugs,
> > Error Prone and Infer. All open source and in moderate to wide use
> > already. Only FindSecBugs is security specific - Infer and Error Prone
> > might find security bugs but they are more general purpose in nature.
> >
> > -Tom
> >
> > On Sun, Sep 27, 2020 at 3:43 PM Norbert Kalmar <nkal...@cloudera.com.invalid> wrote:
> >
> > > Hello Tom,
> > >
> > > +1 on the initiative, thanks for bringing this to our attention.
> > >
> > > If I understand correctly, there will be no disclosed security issues
> > > which cannot be found with open source static analyzers.
> > >
> > > Regards,
> > > Norbert
> > >
> > >
> > > On Sun, Sep 27, 2020 at 8:23 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >
> > > > Hello Guys,
> > > >
> > > > In general I like the idea, but unfortunately I can not really
> > > > participate (either in the coding or in the review) as I have a few
> > > > important projects close to deadline at the moment.
> > > >
> > > > My only concern is with the security bugs, which I don't like to be
> > > > openly reported before publishing a release with the fix. But for
> > > > any other kind of bugfixes / improvements, I am very positive with the
> > > > initiative.
> > > >
> > > >
> > > > Best regards,
> > > > Mate
> > > >
> > > > On Sun, Sep 27, 2020, 07:06 Tom DuBuisson <to...@muse.dev> wrote:
> > > >
> > > > > Enrico et al,
> > > > >
> > > > > Are there other thoughts on this? It would be great to get setup
> > > > > before the bash actually begins. Enrico, lacking other voices
> > > > > would you like to make a final call?
> > > > >
> > > > > -Tom
> > > > >
> > > > > On Thu, Sep 24, 2020 at 3:30 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > >
> > > > > > Tom,
> > > > > > Personally I am +1 with this proposal. Thanks for your
> > > > > > clarifications.
> > > > > >
> > > > > > But we should hear opinions from other people in this list.
> > > > > >
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > On Wed, 23 Sep 2020 at 23:51 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > >
> > > > > > > Enrico,
> > > > > > >
> > > > > > > On the topic of security issues and reporting: Muse's default
> > > > > > > configuration is open source tools and here it is run on open source
> > > > > > > projects. The results are thus already available publicly (in this
> > > > > > > case from FSB, Infer, and Error Prone). Muse doesn't post anything to
> > > > > > > GitHub except in the case of pull requests and then only if the bug
> > > > > > > is deemed to have been "introduced" as part of the PR - meaning it
> > > > > > > shouldn't be a vulnerability in currently shipped software.
> > > > > > >
> > > > > > > If there are desires or proposals about more control over bug
> > > > > > > reports in a convenient, configurable, manner then we'd really like
> > > > > > > to dig in and hear how to help. In case there is more discussion on
> > > > > > > this point I'm CCing Andrew who leads Muse's product design.
> > > > > > >
> > > > > > > -Tom
> > > > > > >
> > > > > > > On Wed, Sep 23, 2020 at 1:09 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > >
> > > > > > > > On Wed, 23 Sep 2020, 19:02 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > >
> > > > > > > > > Enrico,
> > > > > > > > >
> > > > > > > > > The Muse App requires two main abilities. First is events, such
> > > > > > > > > as notification when pull requests are opened or updated. Second
> > > > > > > > > is permission to post comments (which is always possible for
> > > > > > > > > humans but more tightly controlled when the poster authenticates
> > > > > > > > > as a GitHub application). The repository being public has allowed
> > > > > > > > > us to run the app and observe ErrorProne, Infer, and FindSecBugs
> > > > > > > > > all run out of the box and without custom configuration.
> > > > > > > > >
> > > > > > > >
> > > > > > > > Makes sense.
> > > > > > > >
> > > > > > > > One last question from my side:
> > > > > > > > What about security issues?
> > > > > > > > Our policy is to have them reported to secur...@zookeeper.apache.org
> > > > > > > > before public disclosure.
> > > > > > > >
> > > > > > > >
> > > > > > > > Enrico
> > > > > > > >
> > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > > Tom
> > > > > > > > >
> > > > > > > > > On Wed, Sep 23, 2020 at 6:35 AM Enrico Olivelli <eolive...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > On Wed, 23 Sep 2020, 00:44 Tom DuBuisson <to...@muse.dev> wrote:
> > > > > > > > > >
> > > > > > > > > > > Zookeeper Developers,
> > > > > > > > > > >
> > > > > > > > > > > As part of our sponsorship of ApacheCon, our company MuseDev is
> > > > > > > > > > > doing a Bug Bash for select Apache projects. We'll bring members
> > > > > > > > > > > of the ApacheCon community together to find and fix a range of
> > > > > > > > > > > security and performance bugs during the conference, and gamify
> > > > > > > > > > > the experience with teams, a leaderboard, and prizes. The bash is
> > > > > > > > > > > open to everyone whether attending the conference or not, and our
> > > > > > > > > > > whole dev team will also be participating to help fix as many
> > > > > > > > > > > bugs as we can.
> > > > > > > > > > >
> > > > > > > > > > > We're seeding the bug list with results from Muse, our code
> > > > > > > > > > > analysis platform, which runs as a GitHub App and comments on
> > > > > > > > > > > possible bugs as part of the pull request workflow. Here's an
> > > > > > > > > > > example of what it looks like:
> > > > > > > > > > >
> > > > > > > > > > > https://github.com/curl/curl/pull/5971#discussion_r490252196
> > > > > > > > > > >
> > > > > > > > > > > We explored a number of Apache projects and are reaching out
> > > > > > > > > > > because our analysis through Muse found some interesting bugs
> > > > > > > > > > > that could be fixed during the Bash.
> > > > > > > > > > >
> > > > > > > > > > > We're writing to see if you'd be interested in having your
> > > > > > > > > > > project included in the Bash. Everything is set up on our end,
> > > > > > > > > > > and if you're interested, we would need you to say yes on this
> > > > > > > > > > > listserv, and we'll work with the Apache Infrastructure team to
> > > > > > > > > > > grant Muse access to your GitHub mirror.
> > > > > > > > > >
> > > > > > > > > > It is a public repo, what kind of access does it need?
> > > > > > > > > >
> > > > > > > > > > Enrico
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > We'll then make sure it's all set-up and ready for the Bash. And
> > > > > > > > > > > of course, everyone on the project is most welcome to join the
> > > > > > > > > > > Bash and help us smash some bugs.
> > > > > > > > > > >
> > > > > > > > > > > -Tom